A Preliminary Study on Common Programming Mistakes that Lead to Buffer Overflow Vulnerability

When a vulnerability is exploited, the impact ranges from negligible to severe, depending on the nature of the attack. Prior research has found that buffer overflow is one of the most widespread and frequently reported vulnerability classes and a common cause of system crashes. This study investigates the recurring errors in the source code of production software that lead to buffer overflows, so that their root causes can be identified; the findings can guide developers in avoiding these mistakes. Our primary objective is therefore to analyze vulnerable code components in software repositories and extract the programming mistakes that developers most frequently make and that have resulted in a buffer overflow vulnerability. Sixteen vulnerable code components, together with their fixes, were selected for analysis from three popular and well-known systems: Android, Eclipse, and Red Hat. The results show that missing input sanitization, improper checking of array bounds and parameters, and missing value and range checks on variables are the programming issues that most commonly lead to buffer overflows in these systems. We also found that incorrectly written "if" conditions and "while" loop conditions frequently contributed to the errors in bounds and variable checks.
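The following C program is an added illustration, not code from the paper or from any of the systems it studied, of two of the mistake classes named above: an off-by-one "while" condition and a missing length check on the input, shown next to a hardened copy routine that checks the bound strictly and rejects input that cannot fit. The function and variable names, the 16-byte logical buffer and the sample strings are all constructed for this example. To make the overflow observable without corrupting real memory, the harness places the logical buffer inside a larger backing array and plants a canary byte just past its end.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable copy (constructed example). Two defects the paper's taxonomy
 * covers: the "while" condition uses `<=` where `<` is required, so index
 * dst_len (one past the last valid slot) is written, and the input length is
 * never checked against the destination before copying. Returns the number of
 * bytes written, including the terminator. */
size_t copy_vulnerable(char *dst, size_t dst_len, const char *src)
{
    size_t i = 0;
    while (i <= dst_len && src[i] != '\0') {   /* BUG: should leave room for '\0' */
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';                              /* may land at dst[dst_len] or beyond */
    return i + 1;
}

/* Hardened copy (constructed example). Validates parameters, measures the
 * input without reading past dst_len bytes of it, rejects input that would
 * not leave room for the terminator, and only then copies. Returns bytes
 * written including the terminator, or 0 when the input is rejected. */
size_t copy_hardened(char *dst, size_t dst_len, const char *src)
{
    if (dst == NULL || src == NULL || dst_len == 0)
        return 0;
    size_t n = 0;
    while (n < dst_len && src[n] != '\0')       /* strict bound on the scan */
        n++;
    if (n == dst_len)                           /* no room for '\0': reject */
        return 0;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n + 1;
}

/* Runs one copy routine against a 16-byte logical buffer embedded in a
 * 64-byte backing array, with a canary byte at index 16. Returns 1 if the
 * canary survived (no overflow past the logical buffer), 0 if it was
 * overwritten. Inputs must be shorter than 60 bytes so the backing array
 * itself is never exceeded. */
int canary_intact(size_t (*copy)(char *, size_t, const char *), const char *src)
{
    enum { LOGICAL = 16, BACKING = 64 };
    char backing[BACKING];
    memset(backing, 'X', sizeof backing);
    backing[LOGICAL] = 'C';                     /* canary just past dst */
    copy(backing, LOGICAL, src);
    return backing[LOGICAL] == 'C';
}

/* Convenience wrapper: bytes the hardened routine writes into a 16-byte
 * buffer for a given input (0 means the input was rejected). */
size_t hardened_bytes_written(const char *src)
{
    char buf[16];
    return copy_hardened(buf, sizeof buf, src);
}

int main(void)
{
    /* Constructed inputs: 15 and 16 characters against a 16-byte buffer. */
    const char *fits = "exactly15chars!";
    const char *exact = "exactly16chars!!";

    printf("vulnerable, 15 chars: canary %s\n",
           canary_intact(copy_vulnerable, fits) ? "intact" : "CLOBBERED");
    printf("vulnerable, 16 chars: canary %s\n",
           canary_intact(copy_vulnerable, exact) ? "intact" : "CLOBBERED");
    printf("hardened,   16 chars: canary %s, wrote %zu bytes\n",
           canary_intact(copy_hardened, exact) ? "intact" : "CLOBBERED",
           hardened_bytes_written(exact));
    return 0;
}
```

The 16-character input is the instructive case: a naive "is it bigger than the buffer?" check would pass it, yet the `<=` condition still places the terminator one byte past the end. The hardened routine rejects rather than silently truncates, because a truncated string is a second, quieter source of bugs in the code that consumes it.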